AW: FreeRADIUS 3 LDAP Questions

Hachmer, Tobias Tobias.Hachmer at
Tue Nov 26 09:00:02 CET 2013

Hello Arran,

thanks for your answer!

-----Ursprüngliche Nachricht-----
Von: at [ at] Im Auftrag von Arran Cudbard-Bell
Gesendet: Dienstag, 26. November 2013 08:30
An: FreeRadius users mailing list
Betreff: Re: FreeRADIUS 3 LDAP Questions

On 26 Nov 2013, at 06:56, Hachmer, Tobias <Tobias.Hachmer at> wrote:
>> As I understand everyone has to do the LDAP Attribute Mapping manually:
>> -       It would be much easier if the old ldap.attrmap would be translated already, maybe commented.
> Feel free to write a perl script to translate it into an update stanza.

I was afraid the answer would be like this. I just assume that there are a lot of systems out there using the freeradius provided ldap schema. Therefore I also assumed that this mapping is already done as it was in v2.
But I know, it's open source, so somebody has to do this.

>> -       All checkItems have to defined with "control: . := ."?
> or request: or reply: and it will default to request.

Thanks for the hint!

>> valuepair_attribute
>> -       Can I define multiple valuepair attributes? I just want radiusCheckItem and radiusReplyItem
> No, and they wouldn't operate how you expect anyway. They would both go into the request list.
> Again, a migration script might be useful.

Yeah, in my tests I recognized there are problem with some operators, like:
(0) ERROR: ldap : Invalid list qualifier "Aruba-User-Role :"
(0) WARNING: ldap : Failed parsing 'radiusReplyItem' value "Aruba-User-Role := "root"" as valuepair, skipping...

Could you please clarify here how this works and how could I translate this in a correct way from:

checkItem        $GENERIC$                        radiusCheckItem
replyItem        $GENERIC$                        radiusReplyItem

This is very important. I don't want to define a ldap attribute for each VSA.

Thanks in advance,
Tobias Hachmer

More information about the Freeradius-Users mailing list